Professional Documents
Culture Documents
Configuring IP Access Lists: Document ID: 23602
Configuring IP Access Lists: Document ID: 23602
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
ACL Concepts
Masks
ACL Summarization
Process ACLs
Define Ports and Message Types
Apply ACLs
Define In, Out, Inbound, Outbound, Source, and Destination
Edit ACLs
Troubleshoot
Types of IP ACLs
Network Diagram
Standard ACLs
Extended ACLs
Lock and Key (Dynamic ACLs)
IP Named ACLs
Reflexive ACLs
TimeBased ACLs Using Time Ranges
Commented IP ACL Entries
ContextBased Access Control
Authentication Proxy
Turbo ACLs
Distributed TimeBased ACLs
Receive ACLs
Infrastructure Protection ACLs
Transit ACLs
Related Information
Introduction
This document describes how IP access control lists (ACLs) can filter network traffic. It also contains brief
descriptions of the IP ACL types, feature availability, and an example of use in a network.
Access the Software Advisor (registered customers only) tool in order to determine the support of some of the
more advanced Cisco IOS IP ACL features.
RFC 1700
contains assigned numbers of wellknown ports. RFC 1918
contains address allocation for
private Internets, IP addresses which should not normally be seen on the Internet.
Note: ACLs might also be used for purposes other than to filter IP traffic, for example, defining traffic to
Network Address Translate (NAT) or encrypt, or filtering nonIP protocols such as AppleTalk or IPX. A
discussion of these functions is outside the scope of this document.
Prerequisites
Requirements
There are no specific prerequisites for this document. The concepts discussed are present in Cisco IOS
Software Releases 8.3 or later. This is noted under each access list feature.
Components Used
This document discusses various types of ACLs. Some of these are present since Cisco IOS Software
Releases 8.3 and others were introduced in later software releases. This is noted in the discussion of each type.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
ACL Concepts
This section describes ACL concepts.
Masks
Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Masks in order
to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example,
IP address 209.165.202.129 with a 255.255.255.224 mask. Masks for IP ACLs are the reverse, for example,
mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is
broken down into binary (0s and 1s), the results determine which address bits are to be considered in
processing the traffic. A 0 indicates that the address bits must be considered (exact match); a 1 in the mask is a
"don't care". This table further explains the concept.
Mask Example
network address
(traffic that is to be
processed)
mask
network address
(binary)
mask (binary)
10.1.1.0
0.0.0.255
00001010.00000001.00000001.00000000
00000000.00000000.00000000.11111111
Based on the binary mask, you can see that the first three sets (octets) must match the given binary network
address exactly (00001010.00000001.00000001). The last set of numbers are "don't cares" (.11111111).
Therefore, all traffic that begins with 10.1.1. matches since the last octet is "don't care". Therefore, with this
mask, network addresses 10.1.1.1 through 10.1.1.255 (10.1.1.x) are processed.
Subtract the normal mask from 255.255.255.255 in order to determine the ACL inverse mask. In this example,
the inverse mask is determined for network address 172.16.1.0 with a normal mask of 255.255.255.0.
255.255.255.255 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask)
Note these ACL equivalents.
The source/sourcewildcard of 0.0.0.0/255.255.255.255 means "any".
The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".
ACL Summarization
Note: Subnet masks can also be represented as a fixed length notation. For example, 192.168.10.0/24
represents 192.168.10.0 255.255.255.0.
This list describes how to summarize a range of networks into a single network for ACL optimization.
Consider these networks.
192.168.32.0/24
192.168.33.0/24
192.168.34.0/24
192.168.35.0/24
192.168.36.0/24
192.168.37.0/24
192.168.38.0/24
192.168.39.0/24
The first two octets and the last octet are the same for each network. This table is an explanation of how to
summarize these into a single network.
The third octet for the previous networks can be written as seen in this table, according to the octet bit position
and address value for each bit.
Decimal
32
33
34
35
36
37
38
39
128
64
32
16
0
M
Since the first five bits match, the previous eight networks can be summarized into one network
(192.168.32.0/21 or 192.168.32.0 255.255.248.0). All eight possible combinations of the three loworder bits
are relevant for the network ranges in question. This command defines an ACL that permits this network. If
you subtract 255.255.248.0 (normal mask) from 255.255.255.255, it yields 0.0.7.255.
accesslist acl_permit permit ip 192.168.32.0 0.0.7.255
192.168.146.0/24
192.168.147.0/24
192.168.148.0/24
192.168.149.0/24
The first two octets and the last octet are the same for each network. This table is an explanation of how to
summarize these.
The third octet for the previous networks can be written as seen in this table, according to the octet bit position
and address value for each bit.
Decimal
146
147
148
149
128
64
32
16
1
M
Unlike the previous example, you cannot summarize these networks into a single network. If they are
summarized to a single network, they become 192.168.144.0/21 because there are five bits similar in the third
octet. This summarized network 192.168.144.0/21 covers a range of networks from 192.168.144.0 to
192.168.151.0. Among these, 192.168.144.0, 192.168.145.0, 192.168.150.0, and 192.168.151.0 networks are
not in the given list of four networks. In order to cover the specific networks in question, you need a minimum
of two summarized networks. The given four networks can be summarized into these two networks:
For networks 192.168.146.x and 192.168.147.x, all bits match except for the last one, which is a
"don't care." This can be written as 192.168.146.0/23 (or 192.168.146.0 255.255.254.0).
For networks 192.168.148.x and 192.168.149.x, all bits match except for the last one, which is a
"don't care." This can be written as 192.168.148.0/23 (or 192.168.148.0 255.255.254.0).
This output defines a summarized ACL for the above networks.
! This command is used to allow access access for devices with IP
! addresses in the range from 192.168.146.0 to 192.168.147.254.
accesslist 10 permit 192.168.146.0 0.0.1.255
Process ACLs
Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the
router. New statements are added to the end of the list. The router continues to look until it has a match. If no
matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should
have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted. A
singleentry ACL with only one deny entry has the effect of denying all traffic. You must have at least one
permit statement in an ACL or all traffic is blocked. These two ACLs (101 and 102) have the same effect.
In this example, the last entry is sufficient. You do not need the first three entries because TCP includes
Telnet, and IP includes TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
! This command is used to permit Telnet traffic
! from machine 10.1.1.2 to machine 172.16.1.1.
accesslist 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
During configuration, the router also converts numeric values to more userfriendly values. This is an
example where you type the ICMP message type number and it causes the router to convert the number to a
name.
accesslist 102 permit icmp host 10.1.1.1 host 172.16.1.1 14
becomes
accesslist 102 permit icmp host 10.1.1.1 host 172.16.1.1 timestampreply
Apply ACLs
You can define ACLs without applying them. But, the ACLs have no effect until they are applied to the
interface of the router. It is a good practice to apply the ACL on the interface closest to the source of the
traffic. As shown in this example, when you try to block traffic from source to destination, you can apply an
inbound ACL to E0 on router A instead of an outbound list to E1 on router C. An accesslist has a deny ip
any any implicitly at the end of any accesslist. If traffic is related to a DHCP request and if it is not explicity
permitted, the traffic is dropped because when you look at DHCP request in IP, the source address is s=0.0.0.0
(Ethernet1/0), d=255.255.255.255, len 604, rcvd 2 UDP src=68, dst=67. Note that the source IP address is
0.0.0.0 and destination address is 255.255.255.255. Source port is 68 and destination 67. Hence, you should
permit this kind of traffic in your accesslist else the traffic is dropped due to implicit deny at the end of the
statement.
Note: For UDP traffic to pass through, UDP traffic must also be permited explicitly by the ACL.
Edit ACLs
When you edit an ACL, it requires special attention. For example, if you intend to delete a specific line from a
numbered ACL that exists as shown here, the entire ACL is deleted.
! The accesslist 101 denies icmp from any to any network
! but permits IP traffic from any to any network.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#accesslist 101 deny icmp any any
router(config)#accesslist 101 permit ip any any
router(config)#^Z
router#show accesslist
Extended IP access list 101
deny icmp any any
permit ip any any
router#
*Mar 9 00:43:12.784: %SYS5CONFIG_I: Configured from console by console
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#no accesslist 101 deny icmp any any
router(config)#^Z
router#show accesslist
router#
*Mar 9 00:43:29.832: %SYS5CONFIG_I: Configured from console by console
Copy the configuration of the router to a TFTP server or a text editor such as Notepad in order to edit
numbered ACLs. Then make any changes and copy the configuration back to the router.
You can also do this.
router#configure terminal
Enter configuration commands, one per line.
router(config)#ip accesslist extended test
! Permits IP traffic from 2.2.2.2 host machine to 3.3.3.3 host machine.
router(configextnacl)#permit ip host 2.2.2.2 host 3.3.3.3
! Permits www traffic from 1.1.1.1 host machine to 5.5.5.5 host machine.
router(configextnacl)#permit tcp host 1.1.1.1 host 5.5.5.5 eq www
! Permits icmp traffic from any to any network.
router(configextnacl)#permit icmp any any
! Permits dns traffic from 6.6.6.6 host machine to 10.10.10.0 network.
router(configextnacl)#permit udp host 6.6.6.6 10.10.10.0 0.0.0.255 eq domain
router(configextnacl)#^Z
1d00h: %SYS5CONFIG_I: Configured from console by consolesl
router#show accesslist
Extended IP access list test
permit ip host 2.2.2.2 host 3.3.3.3
permit tcp host 1.1.1.1 host 5.5.5.5 eq www
permit icmp any any
permit udp host 6.6.6.6 10.10.10.0 0.0.0.255 eq domain
Any deletions are removed from the ACL and any additions are made to the end of the ACL.
router#configure terminal
Enter configuration commands, one per line.
router(config)#ip accesslist extended test
You can also add ACL lines to numbered standard or numbered extended ACLs by sequence number in Cisco
IOS. This is a sample of the configuration:
Configure the extended ACL in this way:
Router(config)#accesslist 101 permit tcp any any
Router(config)#accesslist 101 permit udp any any
Router(config)#accesslist 101 permit icmp any any
Router(config)#exit
Router#
Issue the show accesslist command in order to view the ACL entries. The sequence numbers such as 10, 20,
and 30 also appear here.
Router#show accesslist
Extended IP access list 101
10 permit tcp any any
20 permit udp any any
30 permit icmp any any
Add the entry for the access list 101 with the sequence number 5.
Example 1:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip accesslist extended 101
Router(configextnacl)#5 deny tcp any any eq telnet
Router(configextnacl)#exit
Router(config)#exit
Router#
In the show accesslist command output, the sequence number 5 ACL is added as the first entry to the
accesslist 101.
Router#show accesslist
Extended IP access list 101
5 deny tcp any any eq telnet
10 permit tcp any any
20 permit udp any any
30 permit icmp any any
Router#
Example 2:
internetrouter#show accesslists
Extended IP access list 101
10 permit tcp any any
15 permit tcp any host 172.162.2.9
20 permit udp host 172.16.1.21 any
30 permit udp host 172.16.1.22 any
internetrouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
internetrouter(config)#ip accesslist extended 101
internetrouter(configextnacl)#18 per tcp any host 172.162.2.11
internetrouter(configextnacl)#^Z
internetrouter#show accesslists
Extended IP access list 101
10 permit tcp any any
15 permit tcp any host 172.162.2.9
18 permit tcp any host 172.162.2.11
20 permit udp host 172.16.1.21 any
30 permit udp host 172.16.1.22 any
internetrouter#
Similarly, you can configure the standard access list in this way:
internetrouter(config)#accesslist 2 permit 172.16.1.2
internetrouter(config)#accesslist 2 permit 172.16.1.10
internetrouter(config)#accesslist 2 permit 172.16.1.11
internetrouter#show accesslists
Standard IP access list 2
30 permit 172.16.1.11
20 permit 172.16.1.10
10 permit 172.16.1.2
internetrouter(config)#ip accesslist standard 2
internetrouter(configstdnacl)#25 per 172.16.1.7
internetrouter(configstdnacl)#15 per 172.16.1.16
internetrouter#show accesslists
Standard IP access list 2
15 permit 172.16.1.16
30 permit 172.16.1.11
20 permit 172.16.1.10
25 permit 172.16.1.7
10 permit 172.16.1.2
The major difference in a standard access list is that the Cisco IOS adds an entry by descending order of the IP
address, not on a sequence number.
This example shows the different entries, for example, how to permit an IP address (192.168.100.0) or the
networks (10.10.10.0).
internetrouter#show accesslists
Standard IP access list 19
10 permit 192.168.100.0
15 permit 10.10.10.0, wildcard bits 0.0.0.255
19 permit 201.101.110.0, wildcard bits 0.0.0.255
25 deny any
Add the entry in access list 2 in order to permit the IP Address 172.22.1.1:
internetrouter(config)#ip accesslist standard 2
internetrouter(configstdnacl)#18 permit 172.22.1.1
This entry is added in the top of the list in order to give priority to the specific IP address rather than network.
internetrouter#show accesslists
Standard IP access list 19
10 permit 192.168.100.0
18 permit 172.22.1.1
15 permit 10.10.10.0, wildcard bits 0.0.0.255
19 permit 201.101.110.0, wildcard bits 0.0.0.255
25 deny
any
Note: The previous ACLs are not supported in Security Appliance such as the ASA/PIX Firewall.
Guidelines to change accesslists when they are applied to crypto maps
If you add to an existing accesslist configuration, there is no need to remove the crypto map. If you
add to them directly without the removal of the crypto map, then that is supported and acceptable.
If you need to modify or delete accesslist entry from an existing accesslists, then you must remove
the crypto map from the interface. After you remove crypto map, make all changes to the accesslist
and readd the crypto map. If you make changes such as the deletion of the accesslist without the
removal of the crypto map, this is not supported and can result in unpredictable behavior.
Troubleshoot
How do I remove an ACL from an interface?
Go into configuration mode and enter no in front of the accessgroup command, as shown in this example, in
order to remove an ACL from an interface.
interface <interface>
no ip accessgroup <aclnumber> in|out
2. Disable fast switching on the interfaces involved. You only see the first packet if fast switching is not
disabled.
config interface
no ip routecache
3. Use the terminal monitor command in enable mode in order to display debug command output and
system error messages for the current terminal and session.
4. Use the debug ip packet 101 or debug ip packet 101 detail command in order to begin the debug
process.
5. Execute the no debug all command in enable mode and the interface configuration command in
order to stop the debug process.
6. Restart caching.
config interface
ip routecache
Types of IP ACLs
This section of the document describes ACL types.
Network Diagram
Standard ACLs
Standard ACLs are the oldest type of ACL. They date back to as early as Cisco IOS Software Release 8.3.
Standard ACLs control traffic by the comparison of the source address of the IP packets to the addresses
configured in the ACL.
This is the command syntax format of a standard ACL.
accesslist accesslistnumber {permit|deny}
{host|source sourcewildcard|any}
In all software releases, the accesslistnumber can be anything from 1 to 99. In Cisco IOS Software Release
12.0.1, standard ACLs begin to use additional numbers (1300 to 1999). These additional numbers are referred
to as expanded IP ACLs. Cisco IOS Software Release 11.2 added the ability to use list name in standard
ACLs.
This is an example of the use of a standard ACL in order to block all traffic except that from source 10.1.1.x.
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip accessgroup 1 in
accesslist 1 permit 10.1.1.0 0.0.0.255
Extended ACLs
Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by the
comparison of the source and destination addresses of the IP packets to the addresses configured in the ACL.
This is the command syntax format of extended ACLs. Lines are wrapped here for spacing considerations.
IP
accesslist accesslistnumber
[dynamic dynamicname [timeout minutes]]
{deny|permit} protocol source sourcewildcard
destination destinationwildcard [precedence precedence]
[tos tos] [log|loginput] [timerange timerangename]
ICMP
accesslist accesslistnumber
[dynamic dynamicname [timeout minutes]]
{deny|permit} icmp source sourcewildcard
destination destinationwildcard
[icmptype [icmpcode] |icmpmessage]
[precedence precedence] [tos tos] [log|loginput]
[timerange timerangename]
TCP
accesslist accesslistnumber
[dynamic dynamicname [timeout minutes]]
{deny|permit} tcp source sourcewildcard [operator [port]]
destination destinationwildcard [operator [port]]
[established] [precedence precedence] [tos tos]
[log|loginput] [timerange timerangename]
UDP
accesslist accesslistnumber
[dynamic dynamicname [timeout minutes]]
{deny|permit} udp source sourcewildcard [operator [port]]
destination destinationwildcard [operator [port]]
[precedence precedence] [tos tos] [log|loginput]
[timerange timerangename]
In all software releases, the accesslistnumber can be 100 to 199. In Cisco IOS Software Release 12.0.1,
extended ACLs begin to use additional numbers (2000 to 2699). These additional numbers are referred to as
expanded IP ACLs. Cisco IOS Software Release 11.2 added the ability to use list name in extended ACLs.
The value of 0.0.0.0/255.255.255.255 can be specified as any. After the ACL is defined, it must be applied to
the interface (inbound or outbound). In early software releases, out was the default when a keyword out or in
was not specified. The direction must be specified in later software releases.
interface <interface>
ip accessgroup {number|name} {in|out}
This extended ACL is used to permit traffic on the 10.1.1.x network (inside) and to receive ping responses
from the outside while it prevents unsolicited pings from people outside, permitting all other traffic.
interface Ethernet0/1
ip address 172.16.1.2 255.255.255.0
ip accessgroup 101 in
accesslist 101 deny icmp any 10.1.1.0 0.0.0.255 echo
accesslist 101 permit ip any 10.1.1.0 0.0.0.255
Note: Some applications such as network management require pings for a keepalive function. If this is the
case, you might wish to limit blocking inbound pings or be more granular in permitted/denied IPs.
The singleentry ACL in this command is dynamically added to the ACL that exists after authentication.
accesslist accesslistnumber dynamic name {permit|deny} [protocol]
{source sourcewildcard|any} {destination destinationwildcard|any}
[precedence precedence][tos tos][established] [log|loginput]
[operator destinationport|destination port]
line vty line_range
login local
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip accessgroup 101 in
accesslist 101 permit tcp any host 10.1.1.1 eq telnet
! 15 (minutes) is the absolute timeout.
accesslist 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255
172.16.1.0 0.0.0.255
line vty 0 4
login local
After the user at 10.1.1.2 makes a Telnet connection to 10.1.1.1, the dynamic ACL is applied. The connection
is then dropped, and the user can go to the 172.16.1.x network.
IP Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2. This allows standard and extended
ACLs to be given names instead of numbers.
This is the command syntax format for IP named ACLs.
ip accesslist {extended|standard} name
This is an example of the use of a named ACL in order to block all traffic except the Telnet connection from
host 10.1.1.2 to host 172.16.1.1.
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip accessgroup in_to_out in
ip accesslist extended in_to_out
permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
Reflexive ACLs
Reflexive ACLs were introduced in Cisco IOS Software Release 11.3. Reflexive ACLs allow IP packets to be
filtered based on upperlayer session information. They are generally used to allow outbound traffic and to
limit inbound traffic in response to sessions that originate inside the router.
Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered
or standard named IP ACLs, or with other protocol ACLs. Reflexive ACLs can be used in conjunction with
other standard and static extended ACLs.
This is the syntax for various reflexive ACL commands.
interface
This is an example of the permit of ICMP outbound and inbound traffic, while only permitting TCP traffic
that has initiated from inside, other traffic is denied.
ip reflexivelist timeout 120
interface Ethernet0/1
ip address 172.16.1.2 255.255.255.0
ip accessgroup inboundfilters in
ip accessgroup outboundfilters out
ip accesslist extended inboundfilters
permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
evaluate tcptraffic
In this example, a Telnet connection is permitted from the inside to outside network on Monday, Wednesday,
and Friday during business hours:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip accessgroup 101 in
accesslist 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
eq telnet timerange EVERYOTHERDAY
timerange EVERYOTHERDAY
periodic Monday Wednesday Friday 8:00 to 17:00
This is an example of the use of CBAC in order to inspect outbound traffic. Extended ACL 111 normally
block the return traffic other than ICMP without CBAC opening holes for the return traffic.
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw tftp timeout 3600
interface Ethernet0/1
ip address 172.16.1.2 255.255.255.0
ip accessgroup 111 in
Authentication Proxy
Authentication proxy was introduced in Cisco IOS Software Release 12.0.5.T. This requires that you have the
Cisco IOS Firewall feature set. Authentication proxy is used to authenticate inbound or outbound users, or
both. Users who are normally blocked by an ACL can bring up a browser to go through the firewall and
authenticate on a TACACS+ or RADIUS server. The server passes additional ACL entries down to the router
in order to allow the users through after authentication.
Authentication proxy is similar to lock and key (dynamic ACLs). These are the differences:
Lock and key is turned on by a Telnet connection to the router. Authentication proxy is turned on by
HTTP through the router.
Authentication proxy must use an external server.
Authentication proxy can handle the addition of multiple dynamic lists. Lock and key can only add
one.
Authentication proxy has an absolute timeout but no idle timeout. Lock and key has both.
Refer to the Cisco Secure Integrated Software Configuration Cookbook for examples of authentication proxy.
Turbo ACLs
Turbo ACLs were introduced in Cisco IOS Software Release 12.1.5.T and are found only on the 7200, 7500,
and other highend platforms. The turbo ACL feature is designed in order to process ACLs more efficiently
in order to improve router performance.
Use the accesslist compiled command for turbo ACLs. This is an example of a compiled ACL.
accesslist
accesslist
accesslist
accesslist
accesslist
101
101
101
101
101
permit
permit
permit
permit
permit
tcp
tcp
udp
udp
udp
host
host
host
host
host
10.1.1.2
10.1.1.2
10.1.1.2
10.1.1.2
10.1.1.2
host
host
host
host
host
172.16.1.1
172.16.1.1
172.16.1.1
172.16.1.1
172.16.1.1
eq
eq
eq
eq
eq
telnet
ftp
syslog
tftp
ntp
After the standard or extended ACL is defined, use the global configuration command in order to compile.
! Tells the router to compile.
accesslist compiled
Interface Ethernet0/1
ip address 172.16.1.2 255.255.255.0
! Applies to the interface.
ip accessgroup 101 in
The show accesslist compiled command shows statistics about the ACL.
ACL feature, timebased ACLs were not supported on line cards for the Cisco 7500 series routers. If
timebased ACLs were configured, they behaved as normal ACLs. If an interface on a line card was
configured with timebased ACLs, the packets switched into the interface were not distributed switched
through the line card but forwarded to the route processor in order to process.
The syntax for distributed timebased ACLs is the same as for timebased ACLs with the addition of the
commands in regards to the status of the Inter Processor Communication (IPC) messages between the route
processor and line card.
debug timerange ipc
show timerange ipc
clear timerange ipc
Receive ACLs
Receive ACLs are used in order to increase security on Cisco 12000 routers by the protection of the gigabit
route processor (GRP) of the router from unnecessary and potentially nefarious traffic. Receive ACLs were
added as a special waiver to the maintenance throttle for Cisco IOS Software Release 12.0.21S2 and
integrated into 12.0(22)S. Refer to GSR: Receive Access Control Lists for further information.
Transit ACLs
Transit ACLs are used in order to increase network security since they explicitly permit only required traffic
into your network or networks. Refer to Transit Access Control Lists: Filtering at Your Edge for further
information.
Related Information
RFC 1700
RFC 1918
Access Lists Support Page
Cisco IOS Firewall
Cisco IOS Software Support Resources
Technical Support & Documentation Cisco Systems